Cybersecurity valuation benchmarks are routinely misread. Not because the numbers are wrong, but because the wrong numbers are being used for the wrong companies.

Take Threat Intelligence. Public comps average 1.2x EV/Revenue. Private companies in the same niche average 16.6x. That is not a temporary dislocation. It is what happens when Rapid7 and PagerDuty, mature and profitability-constrained businesses, get used as benchmarks for AI-native detection platforms raising at eight to ten figures in the private market.

This pattern repeats across cybersecurity in different forms, and the distortions are significant enough to derail a valuation conversation before it starts.

This analysis covers 265 companies across 9 cybersecurity niches, segmented by public comps, private rounds, and M&A transactions, using Finro's Q2 2026 dataset.

Most cybersecurity valuation benchmarks cite one number. The average EV/Revenue across the 265 companies in this dataset is 15.7x. The median is 11.2x. That gap is not a statistical quirk. It is the first thing to understand before using any number in this analysis.

Problem 1: Averages overstate what most companies are actually worth.

The pattern repeats in every niche without exception. Cloud Security averages 22.7x but the median company in the segment trades at 18.6x. Application Security averages 15.4x with a median of 13.4x. Threat Intelligence averages 14.9x against a median of 10.2x. In every case, a small number of high-multiple companies at the top of each segment pull the average up while most companies trade significantly lower.

A founder anchoring to the average is benchmarking against the best companies in their niche, not against their actual peers. This matters most at the moment it is hardest to correct: mid-negotiation in a fundraise or an M&A process.

The solution is to start from the median and the percentile range, not the average. Identify where in the distribution your company sits based on revenue quality, retention, and growth efficiency. That is the number to anchor to.

Problem 2: The wrong public companies are being used as cybersecurity comps.

Several niches routinely include public companies that are not pure-play cybersecurity businesses. Leidos and BAE Systems appear in OT and IoT Security datasets because they operate in that space. But cybersecurity is a fraction of their total revenue, and both trade below 2x EV/Revenue for reasons that have nothing to do with OT security market dynamics.

The same distortion appears in Threat Intelligence. Rapid7 and PagerDuty average 1.2x EV/Revenue but are mature, profitability-constrained businesses with limited resemblance to the AI-native detection platforms currently raising at high private multiples. Treating them as benchmarks for early and growth-stage companies in the same niche produces a structurally wrong answer.

The solution is to screen your comp set by business model and revenue mix, not just by category label. A defense contractor and a pure-play OT security vendor are not comparable businesses. Using one to price the other understates value in a way that is difficult to recover from once the conversation has started.

The rest of this article uses average and median alongside the 25th and 75th percentile ranges, segmented by niche, market type, and funding stage, to give a more complete and more honest picture of where cybersecurity valuations actually sit in Q2 2026.

This analysis covers 265 cybersecurity companies across 9 niches, segmented by market type: public companies, private funding rounds, and M&A transactions. The data was compiled by Finro in Q2 2026 and covers EV/Revenue and EV/Funding multiples sourced from public filings, disclosed funding rounds, and transaction announcements. All revenue figures represent the most recent available annual or ARR data at the time of compilation.

EV/Revenue: what it measures and what it signals

EV/Revenue divides a company's enterprise value by its annual revenue. It is the primary valuation metric in cybersecurity because most high-growth companies in the sector are pre-profit or early in their profitability journey. Margins are reinvested into R&D and go-to-market, which makes EBITDA an unreliable anchor for comparison.

For an investor, EV/Revenue signals how much the market is willing to pay for each dollar of current revenue, based on expectations about future growth, retention, and margin expansion. A high EV/Revenue multiple reflects strong conviction in the company's trajectory. A low multiple reflects either maturity, execution risk, or both. In cybersecurity specifically, EV/Revenue also captures the premium the market assigns to mission-critical platforms versus point solutions — a distinction that shows up clearly in the niche-level dispersion throughout this analysis.

EV/Funding: what it measures and what it signals

EV/Funding divides a company's enterprise value by its total capital raised to date. It does not measure revenue performance. It measures capital efficiency: how much enterprise value has been created per dollar of investor capital deployed.

For an investor, EV/Funding answers a different question than EV/Revenue. It asks whether the capital structure is working. A company with a high EV/Revenue multiple but a low EV/Funding multiple has built strong revenue but consumed a disproportionate amount of capital to do it. A company with a high EV/Funding multiple has created significant value relative to what it raised, which signals either capital discipline, early product-market fit, or both. Used together, EV/Revenue and EV/Funding give a more complete picture of both market positioning and operational efficiency than either metric alone.

Cybersecurity is not one valuation market. It is three, each pricing the same underlying businesses through a different lens. Understanding which regime you are operating in — or being valued against — is the single most important framing decision before any benchmark conversation begins.

Public markets: the discipline floor

The 26 publicly traded cybersecurity companies in this dataset average 9.2x EV/Revenue. The median is 6.3x. The public market is the most transparent of the three regimes, with daily pricing, analyst coverage, and direct comparability to profitability metrics. That transparency tends to compress multiples. Investors can exit at any time, which means they price risk continuously rather than locking it into a single transaction.

The public average is also distorted by one outlier at the top. Palo Alto Networks trades at 37.8x, pulling the mean up by more than 3 points. Strip it out and the public average falls to around 8.1x. For most cybersecurity companies considering a public market comp set, the median of 6.3x is the more honest anchor.

Private markets: the growth premium

The 157 private companies in this dataset average 15.4x EV/Revenue with a median of 12.5x. The gap between average and median is narrower than in the other two regimes, which means the private market distributes value more evenly across companies. The premium over public comps is real and structural: private investors price growth potential and narrative, not current profitability. The cost of that premium is illiquidity and execution risk, which both parties understand going in.

The bottom quartile of private companies trades at 7.3x, overlapping with public market territory. The top quartile reaches 18.5x. That 11x spread between the 25th and 75th percentile is where most of the interesting valuation work happens, because most private cybersecurity companies sit somewhere in that range and the spread reflects genuine differences in growth quality, retention, and market position.

M&A: average high, median lower than private

The M&A data contains the most counterintuitive finding in this dataset. The 79 M&A transactions average 18.8x EV/Revenue, the highest of the three regimes. But the median is 11.2x, which is below the private median of 12.5x.

That gap between M&A average and median tells a specific story. Most cybersecurity acquisitions close at or below private market values. Acquirers are disciplined. But a relatively small number of platform-level transactions, Wiz at 26.7x, CyberArk at a significant premium, Armis at 22.8x, pull the average up dramatically. The top quartile of M&A deals reaches 23.5x. The maximum in the dataset is 117.5x, a small-revenue acquisition where the buyer was paying for capability, not scale.

The practical read: if you are a cybersecurity company expecting to exit via M&A at a premium to your private valuation, you need to be in the top quartile of transaction outcomes, not the median. The median M&A deal does not deliver that premium.

The 9.7x average in Network Security and the 22.7x average in Cloud Security are not random — they reflect structural differences in how each niche creates value, how concentrated the buyer base is, and how much scarcity premium the market assigns to the leading platforms. This section examines the niches where those dynamics are most pronounced.

Cloud Security: the premium niche

Cloud Security averages 22.7x EV/Revenue across 16 companies, the highest of any niche in the dataset. The median of 18.1x is also the highest, which means the premium is not driven by a single outlier — it reflects a genuine market-wide conviction in the category.

The M&A data is where the story sharpens. Cloud Security M&A averages 31.0x and the top quartile of transactions reaches 31.7x. The $32B Google/Wiz deal at 26.7x set the benchmark, but it was not an anomaly. Cisco's acquisition of Splunk at 6.6x and Palo Alto's acquisition of Lightspin at 37.0x show the range. Hyperscalers and platform consolidators are paying above private market levels because cloud security assets with genuine platform characteristics are scarce, and the cost of building rather than buying is rising.

For private cloud security companies, the practical read is that the M&A market is your best exit path, not the public market. Public cloud security companies in this dataset average only 16.4x, close to the private average of 16.2x. The premium is concentrated at the M&A layer.

Identity and Access Management: the consolidation niche

IAM averages 16.8x across 29 companies and leads all niches with 15 M&A transactions — more than any other segment in the dataset. The M&A average of 20.1x significantly outpaces the private average of 14.1x and the public average of 8.0x.

The drivers are structural. Zero-trust architecture requires identity to function as the primary security perimeter rather than a supporting layer. AI agent proliferation has created a new and rapidly growing surface area in non-human identity: every autonomous agent requires provisioning, monitoring, and access controls. Neither trend is slowing, and neither is generating enough pure-play public market supply to satisfy strategic buyer demand.

The public IAM multiple of 8.0x, anchored by Okta at a compressed multiple following its Auth0 integration challenges, understates the actual market for IAM assets. The M&A data is the more honest benchmark for any IAM company entering a transaction process.

Threat Intelligence: the bifurcated niche

Threat Intelligence has a 14.9x average and a 10.1x median across 50 companies — the largest private universe in the dataset. Those headline numbers conceal the sharpest split in the analysis.

Public comps average 1.2x. Rapid7 trades at 1.0x and PagerDuty at 1.5x. Both are mature, profitability-constrained businesses operating in a market that has moved significantly since they were built. Private peers average 16.6x, a 13.8x gap from public comps that is not a valuation error. It is two different markets pricing two different generations of technology.

M&A transactions average 11.4x, below the private market average of 16.6x. This is the most important data point in the niche. Acquirers are not paying the private market premium for most Threat Intelligence assets. The buyers are disciplined: Mastercard acquired Recorded Future at 7.8x, ReliaQuest acquired Digital Shadows at 10.3x, and Broadcom acquired Symantec's enterprise business at 4.7x. The AI-native platforms at the top of the private market, Abnormal Security at 25.5x and Arctic Wolf at 6.6x, are priced by investors at levels that the M&A market has not yet validated at scale.

Network Security and GRC: the compression niches

Network Security averages 9.7x with a median of 8.7x. GRC averages 10.7x with a median of 8.7x. Both sit at the bottom of the niche rankings and for different reasons.

Network Security is incumbent-heavy. Cisco, Palo Alto Networks, Fortinet, and Check Point collectively define the category, and their combined scale makes it difficult for challengers to command premium multiples without a clear platform differentiation story. Palo Alto at 22.7x is the exception that proves the rule: it trades at more than double the niche average because it has successfully positioned as the platform consolidator, not a point solution vendor.

GRC has no public comps in this dataset. The segment is almost entirely private and M&A. The 10.7x average reflects a niche where regulatory demand is durable but largely undifferentiated. NIS2 and DORA are creating real buying urgency across European enterprises, but the compliance automation market is crowded and the switching costs between platforms are lower than in technical security niches. Both factors compress multiples.

The remaining niches, Endpoint Security, Application Security, Data Security, and OT/IoT Security, each carry their own structural dynamics. The full breakdown across all 265 companies is in the dataset.

The OT and IoT Security niche has a 14.6x overall average and a 12.2x median. Both numbers are reasonable and consistent with mid-tier cybersecurity niches. The public average of 1.3x is not.

That 1.3x figure comes from a single public company in the dataset with meaningful OT security exposure. The defense and aerospace contractors most commonly cited as OT security public comps, Leidos and BAE Systems, generate the majority of their revenue from government contracts, hardware programs, and IT services that have nothing to do with operational technology security. Their low EV/Revenue multiples reflect that business mix, not the market's view of OT security as a category.

The consequences of using those numbers as benchmarks are significant. A pure-play OT security platform entering a transaction process anchored to 1.3x public comps is starting the conversation at roughly one-fifteenth of what the M&A market is actually paying. The 15 pure-play private companies in this dataset average 12.3x.

The 6 M&A transactions average 19.9x. Mitsubishi's acquisition of Nozomi Networks at 15.7x, ServiceNow's acquisition of Armis at 22.8x, and Honeywell's acquisition of SCADAfence at 6.5x show the actual range of outcomes for pure-play OT platforms.

The practical implication extends beyond OT/IoT. Any niche that includes large diversified companies — defense contractors, telcos, large-cap IT services firms, as public comps will produce a structurally distorted benchmark. The discipline is to screen by revenue mix before anchoring to any public multiple. If cybersecurity is less than 30 percent of a company's total revenue, it is not a cybersecurity comp.

Cybersecurity valuations do not scale linearly with funding stage. They compress. Seed-stage companies in this dataset carry a median EV/Revenue of 15.5x — the highest of any stage. That multiple declines steadily through Series A (13.6x) and Series B (13.3x) to a floor at Series C (12.7x), before a modest recovery at Series D+ (12.9x). The direction is clear and consistent: the earlier the stage, the higher the multiple.

The compression reflects a straightforward dynamic. Early-stage cybersecurity investors are pricing narrative, category potential, and team quality — inputs that are inherently forward-looking and generous. As companies scale through successive rounds, the market shifts its focus from potential to execution. Revenue quality, retention, and path to profitability become the dominant inputs. Each of those metrics is harder to sustain at scale than it was at Series A, and the multiples reflect that.

Series B is where the market does its most aggressive sorting. The median of 13.3x sits in line with the broader stage trend, but the distribution underneath it is the widest in the dataset: the bottom quartile trades at 7.4x while the top quartile reaches 24.3x. That 16.9x interquartile spread is nearly double the spread at Series C and Series D+. At Series B, investors are still deciding which companies are building defensible platforms and which are well-funded point solutions, and the pricing reflects that uncertainty aggressively.

The Seed average of 18.1x deserves specific attention because it overstates what most Seed-stage cybersecurity companies are actually worth. Two outliers, Minimus/Gutsy at 43.9x on a $51M seed raise and Qevlar AI at 43.2x, pull the average well above the median of 15.5x. The median and the interquartile range are the more reliable anchors at this stage.

Series D+ companies trade at a median of 12.9x, just 0.2x above Series C. The gap between late-stage private and public market benchmarks is narrower than most founders assume. Public cybersecurity companies in this dataset average 9.2x. Strip the public outliers and that number compresses further. Investors pricing Series D+ rounds at 18x or above are implicitly betting on an M&A exit at a premium, the public market re-rating path has largely closed at that valuation level.

The 79 M&A transactions in this dataset average an EV/Revenue of 18.8x. The median is 11.2x. That 7.6x gap between average and median is the largest of any market type in the analysis, and it tells a specific story about how the cybersecurity M&A market is structured. A small number of platform-level transactions at significant premiums coexist with a large volume of disciplined, below-private-market acquisitions. Understanding which category your company falls into is the most important question in M&A planning for a cybersecurity founder.

Where acquirers are paying above private market

Four niches show M&A multiples exceeding private-market averages. Cloud Security leads at 31.0x M&A versus 16.2x private, a 14.8x premium. Data Security follows at 29.2x M&A versus 17.7x private, an 11.5x premium. OT and IoT Security M&A averages 19.9x, compared with 12.3x in private, a 7.6x premium. IAM M&A averages 20.1x, versus 14.1x for private, a 6.0x premium.

The common thread across all four is asset scarcity. Cloud Security platforms with genuine CNAPP or SSE capabilities at scale are limited in supply. Pure-play OT security vendors with enterprise traction are rare. IAM platforms with non-human identity and AI agent coverage are even rarer. When strategic buyers compete for scarce assets, premiums follow. The Google/Wiz deal at 26.7x, the ServiceNow/Armis deal at 22.8x, and the Mitsubishi/Nozomi deal at 15.7x all reflect buyers paying for access to capabilities they cannot build fast enough.

Where acquirers are paying below private market

Three niches show M&A multiples below their private market averages. Threat Intelligence is the most significant: M&A averages 11.4x versus 16.6x private, a 5.2x discount. Endpoint Security M&A averages 13.0x versus 15.5x private. Application Security M&A averages 14.8x versus 16.4x private.

In Threat Intelligence, the gap reflects a specific tension. Private investors have priced the category at AI-native platform multiples. M&A buyers are not. Mastercard acquired Recorded Future at 7.8x. Thoma Bravo acquired Darktrace at 8.2x. ReliaQuest acquired Digital Shadows at 10.3x. The acquirers are pricing execution risk and commoditization pressure, outcomes that private round valuations do not incorporate. For Threat Intelligence founders expecting to exit at private market multiples, the M&A data is a significant reality check.

The bifurcating deal market

Eight cybersecurity transactions exceeded $1B in 2025 alone, accounting for the majority of total M&A deal value. Below that threshold, the market is highly active but disciplined: most transactions close sub-$200M, driven by capability acquisitions and tuck-ins rather than platform consolidation. The middle market — deals between $200M and $1B — has thinned considerably.

For a cybersecurity company targeting a $300M to $700M exit, this bifurcation creates a specific challenge. The mega-deal buyers (hyperscalers, large platform vendors) are acquiring at the top. The tuck-in buyers are acquiring at the bottom. The strategic acquirers who would historically have paid mid-market prices are either sitting out or waiting for valuations to reset further. Mid-market exit liquidity in cybersecurity is the thinnest it has been in several years.

Valuation benchmarks are only useful if they are applied to the right context. The most common mistake is not using the wrong number — it is using the right number in the wrong situation. Here is how to avoid that.

Start from market type, not niche average.

The first question is not what niche you are in. It is which market type is relevant to your situation. A founder raising a Series B is operating in the private market. A company entering an M&A process is operating in the transaction market. A CFO building a public company comp set is operating in the public market. Each of those conversations requires a different benchmark, and the gaps between them in cybersecurity are large enough to derail a valuation discussion if the wrong one is used as the starting point.

Screen your comp set before you anchor to it.

Once you know your market type, the next step is to verify that the companies in your benchmark set are actually comparable. Niche label is not enough. A company classified as OT Security that generates 80 percent of its revenue from defense contracts is not a cybersecurity comp. A Threat Intelligence company that is profitable and growing at 8 percent annually is not a benchmark for an AI-native detection platform growing at 60 percent. Business model, revenue mix, growth rate, and retention profile all need to pass a basic comparability test before a multiple is meaningful.

Know where in the distribution you sit.

The median is the starting point, not the answer. Every niche in this dataset has a wide interquartile range, and most of the interesting valuation work happens within that range. A Series B cloud security company with 120 percent net revenue retention and 80 percent gross margins belongs in the top quartile conversation. A Series B cloud security company with 90 percent retention and 65 percent margins belongs in a different one. The multiple you anchor to should reflect that, not the niche average.

Stress-test your private valuation against M&A data before you need to.

The gap between private and M&A multiples in several niches is large enough to create real problems for companies that have not modeled it in advance. Threat Intelligence private companies average 16.6x. Threat Intelligence M&A transactions average 11.4x. A company that has raised at 16x and is planning an M&A exit in 18 months needs to understand that gap before the process starts, not during it. Run the M&A transaction data against your current valuation and model what an exit at median, top quartile, and premium outcomes would actually look like for your cap table. That exercise will change how you think about your next round